WebSafe is PostX’s powerful Web-mail portal system. Designed with all of the features of a Hotmail-style system, WebSafe allows users to create, reply to, and manage e-mail messages in a secure environment. WebSafe is completely integrated with the PostX system so that all user access is logged for auditing purposes.

PostX Enterprise Platform is so flexible that it can be quite overwhelming. By using Matchers, you can specify the exact path e-mail will take through your system, optionally routing messages to other services based on various criteria. For example, I was able to create a Matcher that checked for a regular expression in the subject field of the message and, if true, would then deliver it via Registered Envelope instead of Offline Envelope. Using combinations of Matchers and applications, you can create policies and work flows that meet your business processing and security needs.

But again, this flexibility comes at a price. PostX Enterprise Platform is not the most intuitive product to work with, and it will take some time and experimentation to get your mail processes defined and bug free. With the help of PostX support, I was able to create rules for various mail domains and situations. Make sure you keep the documentation handy.

SigabaSecure Email 5.0

Sigaba Secure Email takes a granular view of secure mail processing through extensive use of rules and object lists. SendAnywhere is Sigaba’s zero-footprint delivery technology and Sigaba Vault provides a secure Web-based portal system. Secure Email includes support for AES and 3DES. Server-to-server transmission is secured using S/MIME or a proprietary Sigaba protocol, but TLS is not supported. Sigaba Secure Email includes a HIPAA (Health Insurance Portability and Accountability Act) keyword list to ensure compliance, and optional add-ons include content filtering and McAfee anti-virus. Custom branding and secure statement delivery are also part of the system.

Click for larger view.

Like the other products in our review, Secure Email can deliver e-mail to recipients in a variety of ways. Sigaba SendAnywhere allows users to send encrypted messages and reply securely without special client-side software. As with PGP and PostX’s Registered Envelopes, Click for larger view. SendAnywhere requires recipients to be online in order to decrypt the message, which is done by opening an HTML attachment and authenticating to the Sigaba server via the Web. This requirement makes offline decryption impossible. Nor is SendAnywhere designed to deliver mail to "untrusted" users. Sigaba does not support self-registration; an account must be created by an administrator before a recipient can receive secure mail.

Like the other products in our review, Secure Email can deliver e-mail to recipients in a variety of ways. Sigaba SendAnywhere allows users to send encrypted messages and reply securely without special client-side software. As with PGP and PostX’s Registered Envelopes, Click for larger view. SendAnywhere requires recipients to be online in order to decrypt the message, which is done by opening an HTML attachment and authenticating to the Sigaba server via the Web. This requirement makes offline decryption impossible. Nor is SendAnywhere designed to deliver mail to "untrusted" users. Sigaba does not support self-registration; an account must be created by an administrator before a recipient can receive secure mail.

Sigaba provides a plug-in for all the major Windows e-mail clients that handles encryption and decryption automatically, much like the one found in PostX. The plug-in handles user authentication back to the Sigaba keyserver and, like SendAnywhere, requires users to be online in order to encrypt and decrypt messages. Opened messages can be saved in the clear for offline reading.

The Sigaba Vault is Sigaba's method for delivering secure mail through a Web portal. Similar to PostX’s and Tumbleweed’s online portals, Sigaba Vault provides a way to deliver encrypted messages to end users without relying on client-side software; recipients simply click a link directing them back to Sigaba Vault, where they log in via SSL with a username and password. Vault presents all of their e-mail to them already decrypted. Like PGP Web Messenger, Sigaba Vault does not allow users to create new mail or organize messages in folders.

A neat feature not found in the other products is the Affiliate Gateway. The Gateway installs on a business partner’s server and provides authentication, encryption, and policy enforcement, allowing you and your business partner to easily exchange encrypted e-mail without requiring changes to their mail system. No client software is needed and all mail is decrypted at the gateway.

Rule sets and lists in Sigaba allow you to fine-tune your mail flow. You can define specific inbound and outbound policies based on users, domains, and message subject, as well as on header tags and strings found in the body of the message. Sigaba also supports the use of regular expressions in search strings for even more control.

Tumbleweed Secure Messenger 6.0

Tumbleweed Secure Messenger doesn’t miss a beat when it comes to mail security, providing all of the necessary pieces to the secure messaging puzzle. Secure Messenger has a very powerful and flexible policy engine that allows you to create rules based on domain, message, and user, among other things. Secure Messenger also performs virus scanning, spam filtering, and content filtering. Secure Messenger can even perform weighted word analysis to help detect messages that might fail to comply with HIPAA or other regulations.

Secure Messenger provides universal message delivery, allowing end users to receive messages using their desktop mail client or Web-based mail system. E-mail is encrypted using AES or 3DES, with S/MIME and TLS available for site-to-site protection. To speed up the enrollment of business partners, you can even let Secure Messenger harvest S/MIME certificates on inbound messages to auto-associate users and keys.

The heart and soul of Secure Messenger is the policy engine. There are so many different criteria that can be applied to a message, there is realistically no situation that Secure Messenger cannot handle. Policies can be applied to either the sender or recipient, and messages routed or otherwise manipulated by the policy engine. For example, I created a policy to catch inbound messages that contained executable files. When triggered, the file attachments were removed and text was inserted into the body of the message alerting the recipient that an executable file was stripped. Secure Messenger then placed a copy of the original message in an archive and tagged it "Executable" for later inspection.

Tumbleweed has every right to brag about Secure Messenger’s policy engine, but as with PostX Enterprise Platform, such configurability comes at a cost. There are so many options and ways to assemble lists and policies that you can quickly become lost in a maze of choices. After I spent some time using the system, navigating wasn’t nearly as difficult as at first, but policy creation still made my eyes cross.

Like PostX, Tumbleweed uses a digital envelope metaphor for delivering encrypted e-mail, whether the user receives the message via a mail client in-box or a Web-based mail service such as Hotmail. Secure Envelope contains the message, the decryption key, and the decryption engine all in one package, so it does not require the recipient to be online in order to open the message.

For browser-based mail-users, the envelope is an encrypted HTML attachment. Simply open the attachment with your browser and enter your password. Everything needed to decrypt the message is included in the envelope. It's similar to Sigaba's SendAnywhere, but does not require the recipient to be online to open the message.

Tumbleweed provides a great deal of administrative flexibility, which could result in some users accidentally sending sensitive messages in the clear. As a safeguard, Secure Messenger also allows you to create a policy that would route such a message to the secure portal and replace the original message with a custom message containing a link. There, the user logs into Secure Messenger’s Web portal and retrieves their mail in an SSL-secured session.

Unlike PGP, PostX, and Sigaba, Tumbleweed does not provide any way to encrypt e-mail at the desktop. Whether this is a security shortcoming or an advantage seems to be in the eye of the beholder. According to Tumbleweed, mail clients that use RPC to communicate with the mail server, such as Microsoft Outlook and Lotus Notes, are already safe from snooping. Further, encrypting at the desktop can prevent messages from being properly inspected at the gateway. For IT managers, the question ultimately boils down to whether you trust your local network.

All four of these products are powerful, sophisticated, and effective at locking down e-mail. PostX and Tumbleweed provide the greatest flexibility, while PGP and Sigaba offer more straightforward security. Deciding on which system to implement will depend heavily on your business and what you are trying to accomplish. If you want powerful rules-based processing to automate much of your mail security, then take a hard look at both PostX and Tumbleweed. If you want desktop-to-desktop encryption, then PGP is the best choice, with strong support from Sigaba and PostX. If you must fit a broad range of users and guard against every contingency, PostX comes closest to covering all the bases.